Data Protection Policy

Appleford Homes Limited

 

(Young People and Adult Community Care Services)
Policy Document


Corporate Policy

Data Protection C - AFH 0026


Devised: February 2025
Date of next review: February 2026
Date for next revision: February 2027


Reviewed by: Chief Executive/Board of Directors

Introduction

 

Appleford Homes Limited needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organisation has relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards to comply with the law.


The policy below provides team members with an opportunity to familiarise themselves with the requirements in respect of processing personal data under the GDPR. Having this understanding is of vital importance to ensure we can demonstrate compliance with the terms of the GDPR and avoid the risk of non-compliance fines.


We recognise that the correct and lawful treatment of personal data will maintain confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of personal data is a critical responsibility that we always take seriously.


Why this policy exists


This policy sets out how we collect, process and store personal data, in line with the requirements of the UK GDPR and Data Protection Act. This data protection policy ensures Appleford Homes:

  • Complies with data protection law and follow good practice
  • Protects the rights of staff, customers and partners
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach


Data Protection Law


The Data Protection Act 1998 describes how organisations - including Appleford Homes - must collect, handle and store personal information.


These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The Data Protection Act is underpinned by eight important principles.


Article 5 of the UK GDPR states that key data protection principles, which must lie at the heart of any organisation’s data protection management regime. The ICO confirms that article 5(1) requires personal data to be:

  1. Be processed fairly and lawfully in a transparent manner (i.e., lawfulness, fairness and transparency)

  2. Be obtained only for specific, lawful and legitimate purposes (i.e. purpose limitation)

  3. Be adequate, relevant, not excessive and limited to what is necessary in relation to the purposes for which it is processed (i.e. data minimisation)

  4. Be accurate and kept up to date (i.e. accuracy)

  5. Not be held for any longer than necessary for the purposes for which the data is processed (i.e. storage limitation)

  6. Processed in accordance with the rights of data subjects. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (i.e. security, integrity and confidentiality

  7. Be protected in appropriate ways, made available to data subjects and allow data subjects to exercise certain rights in relation to their personal data (i.e. data subject's rights and requests).

  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection, not transferred to another country without appropriate safeguards being in place (i.e. transfer limitation)


Lawfulness, fairness and transparency


This principle requires that any processing of data should be lawful, fair and transparent. Whilst they overlap, all three elements must be satisfied when processing personal data.


Lawfulness


For the processing of personal data to be lawful, a specific ground (lawful basis) must be identified. Article 6 of the UK GDPR defines the 6 lawful bases and the ICO provides the following explanation of each:

 

a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. See the Consent for inclusion in marketing activities policies for more information on consent.

b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering a contract.

c) Legal obligation: the processing is necessary for you to comply with the law.

d) Vital interests: the processing is necessary to protect someone’s life.

e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.


Where the lawful basis of legitimate interests is used as the lawful basis for processing, a legitimate interest’s assessment will be completed by the DPO prior to the processing commencing. This three-part assessment, based on the ICO’s guidance, ensures that the identified processing will be lawful.


It is also unlawful, under section 170 of the Data Protection Act 2018, to obtain personal information to use for your own aims, without either the prior consent or the knowledge of the data controller.

Fairness


The requirement of the fairness principle is that data is only processed in ways that data subjects would reasonably expect and not processed in ways that would have an unjustified negative impact on them. It is also important that data subjects are not misled when their personal data is obtained.


The DPO, when reviewing the organisation’s data processing activities, will not just determine whether data can be used but also whether it should be.

Transparency


The transparency principle is fundamentally linked to the principle of fairness. The principle requires us to be clear, open and honest with data subjects about who we are, how their personal data is used and why.


This means that data subjects must be informed about the personal data we process about them. This is linked to the right to be informed.


Rights and Data Access policy and procedure for more information). The information provided to data subjects must be concise, transparent, intelligible, and easily accessible. Data subjects are informed through privacy notices, policies or statements. These can be overarching documents, or just-in-time notices which inform data subjects just prior to the processing commencing.


All privacy information will be reviewed annually, or sooner should there be a change to the way in which the data is processed. If we plan to use personal data for a new purpose, we will update our privacy information and will make this available to data subjects, before starting any new processing.


Purpose Limitation


Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes. Personal data cannot be used for new, different or incompatible purposes from that disclosed when it was first obtained, unless the new purpose is compatible with the original purpose, we have informed the data subject of the new purposes and they have consented, where necessary or there is a clear legal provision requiring/allowing the processing in the public interest.


When deciding whether a new purpose is compatible with an original purpose, the ICO advises that we consider:

  • any link between your original purpose and the new purpose
  • the context in which you originally collected the personal data – in particular, your relationship with the individual and what they would reasonably expect
  • the nature of the personal data – e.g. is it particularly sensitive
  • the possible consequences for individuals of the new processing; and
  • whether there are appropriate safeguards - e.g. encryption or pseudonymisation’

In short, if the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is unlikely to be compatible with the original purpose.


Duties


The Registered Manager is ultimately responsible for ensuring all team members comply with this policy and understand the need to implement appropriate practices, processes, controls and training to ensure that compliance with the requirements of the GDPR is achieved and maintained.


The Data Protection Officer (DPO) is responsible for overseeing this policy and, as applicable, developing related policies and privacy guidelines.


Please contact the DPO with any questions about the operation of this policy or about the requirements of the GDPR or if you have any concerns that this policy is not being, or has not been, followed. You must always contact the DPO in the following circumstances:

  1. If you need to rely on consent and/or need to capture explicit consent.
  2. If you are unsure about what security or other measures, you need to implement to protect personal data.
  3. If there has been a personal data breach.
  4. If you need to transfer data out of the UK.
  5. If a data subject has made a request to invoke any of their rights.
  6. If you are engaging in a new, or different, processing activity.
  7. If you plan to use personal data for purposes other than what it was collected for.
  8. If you plan to undertake any activities involving automated processing including profiling or automated decision-making.
  9. If you are commencing direct marketing.
  10. If you need to share data with a third party or a new data processor.

 

People, risks and responsibilities


Policy scopes


This policy applies to:

  • The Head office of Appleford Homes Limited
  • Branch of Appleford Homes
  • All staff of Appleford Homes
  • All contractors, suppliers and other people working on behalf of Appleford Homes Limited. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998.


Data Protection Risks


This policy helps to protect Appleford Homes from some real data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities


Everyone who works for or with Appleford Homes has some responsibility for ensuring data is collected, stored and handled appropriately.


Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. However, these people have key areas of responsibility:

  • The Board of Directors is ultimately responsible for ensuring that Appleford Homes meets its legal obligations.

  • The Data Officer is responsible for:

      o Keeping the Board updated about data protection responsibilities, risks and issues.
      o Reviewing all data protection procedures and related policies, in line with an agreed schedule.
      o Arranging data protection training and advice for the people covered by this policy.
      o Handling data protection questions from staff and anyone else covered by this policy.
      o Dealing with requests from individuals to see the data Appleford Homes holds about them (also called ‘subject access requests’).
      o Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

  • The IT manager is responsible for:
      o Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
      o Performing regular checks and scans to ensure security hardware and software is functioning properly.
      o Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.

 

General Staff Guidelines

  • The people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
  • Appleford Homes will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • Strong passwords must be used, and they should never be shared.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

 

Data Storage


These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.


When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

  • When not required, the paper or files should be kept in a locked drawer or filing cabinet.
  • Employees should make sure paper, and printouts are not left where unauthorised people could see them, like on a printer.
  • Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

  • Data should be protected by strong passwords that are changed regularly and never shared between employees.
  • If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
  • Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
  • Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
  • All servers and computers containing data should be protected by approved security software and a firewall.

 

Data Use

 

Personal data is of no value to Appleford Homes unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
  • Personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure.
  • Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
  • Personal data should never be transferred outside of the European Economic Area.
  • Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.


Data Accuracy


The law requires Appleford Homes to take reasonable steps to ensure data is kept accurate and up to date.


The more important it is that the personal data is accurate, the greater the effort Appleford Homes should put into ensuring its accuracy. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
  • Appleford Homes will make it easy for data subjects to update the information Appleford Homes holds about them. For instance, via the company website.
  • Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
  • It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.


Subject Access Requests


All individuals who are the subject of personal data held by Appleford Homes are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.


Subject access requests from individuals should be made by email, addressed to the data controller at admin@applefordhomes.co.uk. The data controller can supply a standard request form.

 

Disclosing Data for Other Reasons

 

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.


Under these circumstances, Appleford Homes will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.

 

Providing Information


Appleford Homes aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, Appleford Homes has a privacy statement, setting out how data relating to individuals is used by the company.


Consent


Consent is one of the lawful bases for processing personal data. Whilst we have consent for inclusion in marketing activities policies (for residents, team members and external stakeholders), this section provides guidance on consent in general.


Consent is defined in Article 4(11) of the UK GDPR as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. In short, the criteria for valid consent are thus:

  • It must be freely given – this means data subjects should have a genuine choice over whether to give their consent to a type of processing, or not.
  • It must be specified and informed – this means data subjects should be aware of the identity of the data controller, the purpose of the processing (including separate, granular consent for different processing operations).
  • It must be given by an unambiguous indication - it must be obvious that the data subject has consented and what they have consented to. This requires more than just a confirmation that they have read terms and conditions – there must be a clear signal that they agree.

There may be times where explicit consent must be given. Consent that is inferred from someone’s actions cannot be explicit consent however obvious it might be that they consent.


Explicit consent must be expressly confirmed in words (either orally or in writing).


Consent is seen to degrade over time, but how long it lasts will depend on the context in which it was given. Consent cannot be implied, or bundled together, with other terms and conditions. As such, consent forms must be given separately and distinctly from other documents. Data subjects should also be given time to read and understand consent paperwork/forms.


We should also bear in mind that consent is more difficult to obtain where there is an imbalance of power e.g., between an employer and an employee. As such, data subjects can refuse to give, or withdraw consent, without any detriment or ill-treatment. We will take reports contrary to this, very seriously and these may be dealt with in line with our Disciplinary/Grievance procedures.


Article 7(1) of the UK GDPR requires data controllers to record the consent given by data subjects. Good records should include who consented, when they consented, the information the data subject(s) was given at the time, how the data subject consented and whether they have withdrawn consent.


Using consent as a lawful basis, must first be approved by the DPO. The DPO will ensure that the correct consent paperwork and privacy information has been created, prior to the start of the processing.


Data processing agreements 


Data controllers are required to have a written contract in place with each data processor. Contracts must include certain specific terms as a minimum, such as requiring the processor to take appropriate measures to ensure the security of processing and obliging it to assist the controller in allowing individuals to exercise their rights under the UK GDPR. Where service contracts do not contain the required information, a data processing agreement will be signed by both parties. The internal relationship lead is responsible for ensuring that the necessary contract or agreement is in place, for each data processor they are responsible for.


Recording and reporting personal data breaches

 

The organisational expectations in relation to how team members should respond to personal data breaches, is detailed in our Personal data breach policy. However, in short, the Information Commissioner’s Office (ICO) defines a personal data breach as a ’breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.’


Within Appleford Homes, the team should log all data breaches using the ‘data breach’ as the subject and should be reported to the Data Protection Officer, by email, on admin@applefordhomes.co.uk


Action Fraud is the UK’s national reporting centre for fraud and cybercrime where you should report fraud if you have been scammed, defrauded or experienced cybercrime. You can report fraud or cybercrime using their online reporting service any time of the day or night; the service enables you to both report a fraud and find help and support. You can talk to their fraud and cybercrime specialists by calling 0300 123 2040

 

Signed: Comfort Tijani
Print Name: Comfort Tijani
Position: Company Secretary
Company: Appleford Homes Limited
Date: February 12, 2025